What do we know about the curious, secretive NSO Group? Very little – but after this week, an awful lot more than we did before.
The group, an Israeli-based but American-owned company, specialises in creating what it calls tools against crime and terrorism. But security researchers call the company something else: a cyber arms dealer.
On Thursday, the NSO Group was thrust into international headlines after being credited with creating malicious software capable of “jailbreaking” any iPhone with just one tap of the screen, and then installing vicious spyware.
Factfile: NSO
- Founded in 2010 and has had several different names
- Based in Herzliya, Israel, and owned by US investment firm Francisco Partners
- Could be worth $1bn
Security-savvy human rights lawyer Ahmed Mansoor found himself targeted by the attack when his iPhone received a message promising “secrets” about torture happening in prisons in the United Arab Emirates.
Had he tapped on the link, the phone would have been plundered. Huge amounts of private data: text messages, photos, emails, location data, even what’s being picked up by the device’s microphone and camera.
Thankfully, he didn’t do that. Instead, he passed on the message to experts at Citizen Lab and Lookout, who peeled back the covers on what they described as one of the most sophisticated cyber weapons ever discovered. With it came evidence that it was the NSO Group’s expertise at the heart of it all.
Big money deals
Earlier this year, UK-based watchdog Privacy International launched a database tracking the global trade of cyber arms. Its intention was to track deals between cyber arms companies and governments.
The NSO Group, founded in 2010 and based in Herzliya, a tech hub north of Tel Aviv, likely received funding from the elite 8200 Intelligence Unit, a start-up initiative supported by the Israeli military.
Forbes reports that the 8200 Intelligence Unit played a significant role in supporting and financing Stuxnet, a cyber attack on Iran conducted jointly by the US and Israel.
The Surveillance Industry Index (SII) listed substantial deals between the NSO Group and government entities in Mexico and Panama, amounting to millions of dollars.
This is the tip of the iceberg – press reports of sales rely on leaks and anonymous sources, and so there are likely many more unknown to the general public.
In 2015, the NSO Group’s owners – US-based venture capital firm Francisco Partners – were looking to sell the company at a value of around $1bn. Neither firm has responded to the BBC’s requests for further comment.
But the company has gone no further than that in describing who its customers are, and what exactly they buy. It does say it has no control over how its tools are used and for what purpose.
Outstanding work
Whatever the origin of the NSO Group, what has been created is an extraordinarily talented team of cyber specialists.
The attack on Mr Mansoor, had it worked, would have utilised not one but three zero-day attacks. To discover one zero day is rare; to find three is outstanding.
Clues to the origin of the attack came when the experts looked at the messages Mr Mansoor received.
When the researchers analysed the spyware’s code, they noticed apparent references to “Pegasus”, the name given by the NSO Group to one of its spying products.
Last year, the public became aware of details about Pegasus when a cyber arms firm named the Hacking Team experienced a breach, resulting in the leak of promotional material related to Pegasus.
That has neutralised this specific attack, sure, but there’ll likely be many more that remain hidden from view.
In a rare interview with Defense News, the NSO Group’s co-founder, Omri Lavie, said their attacks would “leave no trace”.
Soon the NSO Group will rejoin the rest of the money-spinning cyber arms trade back in the shadows.